11 July, 2019
On 09 July 2019, the Information Commissioner's Office (ICO) announced that it intended to fine Marriott International, Inc more than £99 milllion for breaches of the General Data Protection Regulation (GDPR).
The ICO confirmed that it has conducted an investigation into Marriot International following a cyber security incident. It is understood that there was a hack of around 30 million guest records, including credit card details, passport numbers and dates of birth. The guest records contained details of guests in 31 different countries in the European Economic Area (EEA) and around 7 million of those related to residents in the UK. The ICO has stated that the cyber security incident appeared to begin when the systems of the Starwood hotels group were compromised in 2014. Marriot International then acquired the Starwood hotels group in 2016 but the hack of guest records was not discovered until last year. The announcement from the ICO stated that Marriot International had failed to undertake sufficient due diligence when it acquired Starwood hotels group and should have done more to make sure its IT systems were secure.
Marriot International will now have the opportunity to make representations to the ICO as to the findings of the investigation and the proposed level of fine. The ICO has conducted the investigation alongside other European supervisory authorities whose residents have been affected by the breach and they will also have the opportunity to make representations to the ICO about its findings.
This is the second notice of intention to fine organisations in two days. On 08 July 2019, the ICO announced that it intended to fine British Airways £183 million after a cyber security incident involving the personal details of around 500,000 British Airways customers. The proposed fines are further evidence of the ICO flexing its new powers under the GDPR as it is now able to impose fines which amount to 4% of an organisation's annual global turnover.
Once the ICO has considered the representations made by Marriott International and the other EU supervisory authorities, it will publish a notice of the fine along with an explanation as to how that figure has been reached. The level of fine will take into account how Marriott International responded to the breach when they were notified and its cooperation with the ICO.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.